TITLE OF THE INVENTION

METHOD FOR PROVIDING SINGLE STEP LOGON ACCESS TO A
DIFFERENTIATED COMPUTER NETWORK

BACKGROUND OF THE INVENTION

The present invention relates to a method for providing simplified access to
subscribers of a differentiated computer network. Specifically, the present invention
relates to a method for allowing single step log-on access to a network having more than
one separate access area, such as a network divided into both public and private areas,
where access to public areas is provided by a conventional Network Access Server, or
NAS, and access to private areas is provided by a separate Service Selection Gateway, or
SSG.

2. Background

Every day, millions of people around the world perform the modern ritual of the
network "log-on." From the user standpoint, the process is simple: if all goes well, after
a click of the mouse, and perhaps a few quick keystrokes, the short melodic overture of
computers exchanging bits begins, and the intrepid user soon finds himself speeding
down the Information Superhighway. Mercifully, the user is usually spared from having
to know anything about the technical details of the log-on procedure, which involves
multiple servers working in concert to handle the thousands of subscribers who seek
access to the network at any given time. The continued success of computer networking
technology depends on keeping access easy. As networks have evolved, however, they
have begun to differentiate into areas that provide specialized services to selected users.
Because of this trend, security and user-authorization protocols are becoming more
complicated, often in ways that conflict with the need for easy accessibility.

In order to gain access to a computer network, such as the World-Wide Web, or
the Internet, or a private Intranet network, a user must first dial-in or otherwise connect
to a Network Access Server, or NAS. The NAS serves as a gate between the computer
network and the user. As a threshold matter, the NAS must authenticate the identity of
the subscriber in order to ascertain the nature and scope of the services that it will
provide. Of course, if the network is differentiated into public areas that are accessible to
all subscribers generally, and private areas that are accessible only to authorized
subscribers, then the user's identity is particularly important.

The authentication procedure generally involves another server, herein referred to
as an Authentication, Authorization, and Accounting Server, or an AAA Server. The
NAS is a client of the AAA Server, which may serve several client NAS's simultaneously.
The NAS and the AAA Server communicate with one another according to a standard
Internet protocol, such as the Remote Authentication Dial-In User Service (RADIUS)
protocol, developed by Livingston Enterprises of Pleasanton, California. The description
of the authentication procedure that follows is based on the RADIUS protocol.

Typically, the user begins his or her session on the network by first launching a
dial-in application on his or her PC that prompts the user to enter some form of user
identification, like a user-name, and a private password. Such information may also be
stored on and automatically provided by the PC. The dial-in application contacts an
NAS, for instance, via modem and telephone line, and provides the NAS with the user-
entered information. The password data is usually encrypted using methods well-known
to those of ordinary skill in the art. The NAS then prepares and sends an "access-
request" packet to the AAA Server. The access request packet contains the data entered
by the user, as well as additional data identifying the particular NAS client from which
the packet was sent.

The AAA Server contains a large database of stored information on the accounts
of each subscriber, including user-names, encrypted passwords and configuration
information detailing the type of service that is to be provided to each user. When the
AAA Server receives an access-request packet from an authorized NAS client, it consults
its database of users to find the account entry for the user identified by the information
contained in the access-request packet. The account entry will often specify certain
requirements that must be met in order for the user to gain access to the network,
including information on the clients and ports on the network which the user is allowed
to access. An important requirement, of course, is that the password entered by the user
match the password specified in the account entry on the AAA database. If the
passwords match, and all the other requirements are met, then the AAA Server sends the
NAS an "access-accept" packet in response. The access-accept packet contains
configuration data that enable the NAS to provide the desired service to the user.

If any requirement is not met, then the AAA Server responds with an "access-
reject" packet indicating that the user request is invalid. The access-reject packet may
also contain text messages which may be delivered to the user by the NAS. Even if all
the requirements are met, the AAA Server may still deny immediate access to the user
and instead issue an "access-challenge" packet that prompts the user for new
information before access is finally granted.

In order for the network to communicate with the user, the user must be assigned
an IP address. User IP addresses are usually assigned dynamically, meaning that a user's
IP address can change from session to session. The IP address can be assigned either by
the AAA Server, or by the NAS. Once an IP address has been assigned to the user, the
user is logged-on to the NAS and can begin his or her session on the network. After
logging the user on, the NAS sends an "accounting-start" packet to the AAA Server,
containing information regarding, for instance, the time at which the user's session
begins, or other administrative and accounting data, that can be stored on the AAA
Server's database.

A complication in this scheme arises when the network contains private areas
whose access is regulated by a third server, herein referred to as a Service Selection
Gateway, or SSG Server. The SSG Server is inserted between the NAS and the AAA
Server, and its function is to create secure channels to private areas of the network for
authorized users only. In order to access these private areas, an authorized user must
somehow log-on to the SSG server as well.

Of course, it is possible to simply inflict upon the user the job of performing a
second log-on to the SSG Server after the first log-on to the NAS. This approach is
rather cumbersome and inelegant, however, and it requires the use of a separate and
largely redundant software application on the user's PC, called a "dashboard." In order
for an authorized user to access private areas of the network through the SSG Server, he
or she must first log on to the network using the primary dial-in application, then launch
the dashboard, and then log on a second time with the SSG Server.

This solution leaves much to be desired. The tedium that comes from staring at
pixellated cartoons of tiny telephones on a computer monitor, occasionally for minutes
at a time, as a PC attempts to log-on to a heavily-trafficked network, is already an all-too
familiar source of frustration to many subscribers of computer network services. Such
delays can be caused, for instance, by the large number of access requests that must be
handled by the AAA Server. The second log-on to the SSG requires a second
authorization to access data from a private network and therefore simply adds
unnecessarily to the traffic seen by the AAA Server. It also requires the user to re-enter
his or her username and password.

Unfortunately, it is not enough to simply pass username and password
information from the NAS to the SSG Server. Without the user IP address, the SSG
Server has no way to send information from the private areas of the network to the user.
While it might be possible to reconfigure the NAS to provide the IP address to the SSG
Server directly, or demand that IP addresses are assigned by the AAA Server instead of
the NAS, a more practical solution would view both the NAS and AAA Server as fixed
and inviolate, and would seek instead to adapt the behavior of the SSG Server.

Accordingly, it is an object and advantage of the present invention to provide
single step log-on access to a differentiated computer network having more than one
separate access area, such as a network divided into both public and private areas,
where access to public areas is provided by a conventional Network Access Server, or
NAS, and access to private areas is provided by a separate Service Selection Gateway, or
SSG.

Another object and advantage of the present invention is to provide single step
log-on access to a differentiated computer network having more than one separate
access area, such as a network divided into both public and private areas, where access
to public areas is provided by a conventional NAS, and access to private areas is
provided by an SSG, without altering the behavior of the NAS.

Another object and advantage of the present invention is to provide single step
log-on access to a differentiated computer network having more than one separate
access area, such as a network divided into both public and private areas, where access
to public areas is provided by a conventional NAS, and access to private areas is
provided by an SSG, without altering the behavior of the AAA Server.

Yet another object and advantage of the present invention is to provide single
step log-on access to a differentiated computer network having more than one separate
access area, such as a network divided into both public and private areas, without the
need for a separate dashboard application.



The present invention is a method for providing single step log-on access for a
subscriber to a differentiated computer network having more than one separate access
area. The method involves intercepting packets of data between the NAS and the AAA
Server with an SSG Server, and manipulating these packets to obtain information
needed by the SSG Server to log the user on automatically, without requiring the user to
re-enter username and password data, or launch a separate application. Once the user is
logged-on to the SSG Server, the SSG is able to provide the user with secure access to
additional areas of the network. From the user's point of view, the log-on procedure
with the SSG Server is identical to the log-on procedure without it.



BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a schematic drawing of a network of three servers and a differentiated
computer network.

FIG. 2A, 2B, and 2C are drawings illustrating the order in which packets are
exchanged in a network of three servers during log-on.

DETAILED DESCRIPTION OF THE INVENTION
Those of ordinary skill in the art will realize that the following description of the
present invention is illustrative only and is not intended to be in any way limiting. Other
embodiments of the invention will readily suggest themselves to such skilled persons
from an examination of the within disclosure.

In a presently-preferred embodiment of the invention, illustrated in FIG. 1, a
subscriber PC 1 to a computer network 5 having both public and private areas 6, 7 is
linked to a Network Access Server, or NAS 2. The NAS 2 is linked to an Authentication,
Authorization, and Accounting Server, or AAA Server 4 through a Service Selection
Gateway, or SSG 3. The NAS 2, SSG 3, and AAA 4 Servers communicate with one
another according to the Remote Access Dial-in User Service protocol, or RADIUS. The
details of the RADIUS protocol are well-known to those of ordinary skill in the art.
Moreover, as will be apparent to those of ordinary skill in the art, only a few general
features of the RADIUS protocol are utilized by the present invention. The methods of
the present invention described herein are therefore applicable to any other authentication
protocol equivalent in relevant part to the RADIUS protocol.

In essence, the need for a second log-on to the SSG Server 3 is obviated by
allowing the SSG Server 3 to intercept and forward all packets of data exchanged
between the NAS 2 and the AAA Server 4. To the NAS 2, the SSG Server 3 simply acts
as a proxy AAA Server 4. The presence of the SSG Server 3 is unfelt by the NAS 2,
which continues to behave exactly as if it were connected directly to the AAA Server 4.
By "eavesdropping" on the communications between the NAS 2 and the AAA Server
4, the SSG Server 3 is able to obtain all the information it needs to log the user on
automatically, without requiring the user to re-enter data, or to launch a separate
application. The methods of the present invention do not require any alteration in the
behavior of the NAS 2, or the AAA Server 4.

As described above, the user initiates a session on the network 5 by launching a
dial-up application on his or her subscriber PC 1. The dial-up application prompts the
user for user-name and password information, and contacts the NAS 2. The NAS 2
prepares an access-request packet containing the user-specified information, as well as
information about the NAS client 2 itself. Instead of being delivered directly to the AAA
Server 4, however, the access-request packet is first intercepted by the SSG Server 3, at
step 200. Since the access-request packet contains username and password information,
receipt of the access-request packet by the SSG Server 3 supplants the need for
requiring the user to supply this information to the SSG Server 3 using a separate
dashboard application. However, as described above, the SSG Server 3 still needs the
user IP address to complete the log-on procedure. The user IP address, however, has not
yet been assigned, and extra steps must be taken before the SSG Server 3 can officially
log the user on.

The SSG Server 3 forwards the access-request packet to the AAA Server 4 at step
202. The AAA Server 4 first authenticates the user by checking the data attributes in the
access-request packet against its account database. The AAA Server 4 then responds to
the access-request by issuing an access-reply packet back to the SSG Server 3 at step
204. If the user authentication check is successful, then the AAA Server 4 may assign an
IP address to the user and include this IP address in the access-reply packet. The SSG
Server 3 then checks for an IP address in the access-reply packet. If the SSG Server 3
finds an IP address, then the SSG Server 3 can log the user on with the IP address
provided by the AAA Server 4, and then forward the access-reply packet on to the NAS
2 immediately at step 206. Once the access-reply packet is received by the NAS 2, it may
then log the user on as well, and the user session can begin.



If the AAA Server 4 authorizes the user but does not assign an IP address, then
the SSG Server 3 can log the user on with a dummy temporary IP address. It then assigns
the user an identification number that it inserts into the access-reply packet before
forwarding the access-reply packet to the NAS 2 at step 206. The identification number
is written as a special attribute in the access-reply packet, called a "class attribute" in
the RADIUS protocol. The class attribute is read and stored by the NAS 2 and echoed
back unchanged in subsequent packets. The temporary IP address can be used as an
identification number.

Upon receipt of the access-reply packet authorizing the user to access the
network, the NAS 2 assigns a genuine IP address to the user and logs the user on. At
step 208, the NAS 2 then prepares and sends an "accounting-start" packet to the AAA
Server 4, containing information like the time at which the user began his or her session,
as well as the genuine IP address assigned to the user by the NAS 2. The accounting-
start packet serves an administrative function and would be prepared and sent by the
NAS 2 even without the presence of an SSG Server 3. The accounting-start packet is
intercepted by the SSG Server 3 on its way to the AAA Server 4, and will contain not
only an IP address, but also the class attribute identifying the user to whom the IP
address belongs. With these two pieces of information, the SSG Server 3 can replace the
dummy IP address with the genuine IP address for the user, and log the user on officially.
Finally, the SSG Server 3 forwards the accounting-start packet to the AAA Server 4 at
step 210.

In short, the user can now log on to both the NAS 2 and the SSG Server 3,
without having to launch a second application, or perform a separate log-on to the SSG
Server 3. From the vantage point of the user, the log-on procedure does not change in
any way with the addition of the SSG Server 3. Because of the presence of the SSG
Server 3, however, an authorized user is now able to gain secure access to, for example,
private areas of the network, with the same ease that he or she is able to access the
public areas.
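The packet exchange described in the Background (access-request, access-accept or access-reject, accounting-start) and in the Detailed Description (steps 200 through 210) can be simulated in a few dozen lines. The following Python is an added example, not code from the patent or from any NAS, SSG or AAA product: the three server classes, the dictionary-based packets, the attribute names, the "ssg-N" class values and the sample accounts are all constructed for this illustration. It covers both branches of step 204, an AAA Server that assigns the IP address itself and one that leaves assignment to the NAS, as well as a rejected request.

```python
# Added example (not the patent's code): an in-memory simulation of the NAS / SSG / AAA
# exchange. Packets are plain dicts; attribute keys mirror RADIUS attribute names but no
# wire encoding, shared secret or authenticator is modelled.

DUMMY_IP = "0.0.0.0"  # placeholder the SSG holds until the NAS reports the genuine address


class AAAServer:
    """Authenticates against an account table and records accounting-start packets.
    Accounts with an "ip" entry are assigned that address by the AAA; others are not."""

    def __init__(self, accounts):
        self.accounts = accounts      # constructed: user-name -> {"password": ..., "ip"?: ...}
        self.accounting = []          # accounting-start packets received

    def handle(self, packet):
        code = packet["code"]
        if code == "access-request":
            acct = self.accounts.get(packet["user-name"])
            # Unknown account or password mismatch: access-reject with a text message.
            if acct is None or acct["password"] != packet["user-password"]:
                return {"code": "access-reject", "reply-message": "invalid request"}
            reply = {"code": "access-accept"}
            if acct.get("ip"):
                reply["framed-ip-address"] = acct["ip"]   # AAA-assigned address
            return reply
        if code == "accounting-start":
            self.accounting.append(packet)
            return {"code": "accounting-response"}
        raise ValueError(f"unexpected packet code {code!r}")


class SSGProxy:
    """Transparent proxy between NAS and AAA, following steps 200-210 of the text."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.logged_on = {}    # user-name -> IP known to the SSG (DUMMY_IP until official)
        self.pending = {}      # class attribute -> user-name still waiting for a genuine IP
        self._next_class = 1

    def handle(self, packet):
        code = packet["code"]
        if code == "access-request":
            user = packet["user-name"]               # step 200: read the credentials
            reply = self.aaa.handle(packet)          # steps 202/204: forward, get reply
            if reply["code"] != "access-accept":
                return reply                         # rejects pass through unchanged
            ip = reply.get("framed-ip-address")
            if ip is not None:
                self.logged_on[user] = ip            # AAA assigned the IP: log on now
            else:
                # No IP yet: log on with a dummy address and tag the reply with a class
                # attribute that the NAS will echo back in its accounting-start packet.
                cls = f"ssg-{self._next_class}"
                self._next_class += 1
                self.pending[cls] = user
                self.logged_on[user] = DUMMY_IP
                reply["class"] = cls
            return reply                             # step 206
        if code == "accounting-start":
            # Step 208: the NAS-assigned IP arrives together with the echoed class.
            user = self.pending.pop(packet.get("class"), None)
            if user is not None:
                self.logged_on[user] = packet["framed-ip-address"]
            return self.aaa.handle(packet)           # step 210
        return self.aaa.handle(packet)


class NAS:
    """Unmodified NAS behaviour: it talks only to what it believes is the AAA Server."""

    def __init__(self, upstream, nas_id, pool):
        self.upstream = upstream      # the SSG, standing in as the AAA Server
        self.nas_id = nas_id
        self.pool = list(pool)        # constructed address pool for NAS-side assignment
        self.sessions = {}

    def logon(self, user, password):
        reply = self.upstream.handle({"code": "access-request", "user-name": user,
                                      "user-password": password, "nas-identifier": self.nas_id})
        if reply["code"] != "access-accept":
            return None
        ip = reply.get("framed-ip-address") or self.pool.pop(0)
        self.sessions[user] = ip
        acct = {"code": "accounting-start", "user-name": user,
                "framed-ip-address": ip, "nas-identifier": self.nas_id}
        if "class" in reply:
            acct["class"] = reply["class"]           # echoed back unchanged
        self.upstream.handle(acct)
        return ip


def run_demo():
    """Three constructed log-ons: AAA-assigned IP, NAS-assigned IP, and a bad password."""
    aaa = AAAServer({"alice": {"password": "pw-alice", "ip": "10.0.0.5"},
                     "bob": {"password": "pw-bob"}})
    ssg = SSGProxy(aaa)
    nas = NAS(ssg, "nas-1", ["10.0.1.10", "10.0.1.11"])
    return {"alice": nas.logon("alice", "pw-alice"),
            "bob": nas.logon("bob", "pw-bob"),
            "bad": nas.logon("bob", "wrong-password"),
            "ssg": dict(ssg.logged_on),
            "pending": dict(ssg.pending),
            "accounting": len(aaa.accounting)}
```

Running `run_demo()` shows alice logged on at the SSG with the AAA-assigned address, bob first held at the dummy address and then moved to the NAS-assigned one once the accounting-start packet echoes the class attribute, and the bad password rejected without any SSG state being created. Two points matter when this is built for real: the proxy holds a separate RADIUS shared secret with each peer, so a reply it alters by inserting a class attribute must be re-authenticated towards the NAS rather than relayed byte-for-byte, and a pending entry should be bound to the NAS identity it was issued to and expired if no accounting-start arrives, so that a stray or replayed accounting packet cannot attach an address to someone else's session.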

Alternative Embodiments

Although illustrative presently preferred embodiments and applications of this
invention are shown and described herein, many variations and modifications are
possible which remain within the concept, scope, and spirit of the invention, and these
variations would become clear to those of skill in the art after perusal of this application.
For example, the invention can be used with any type of connection between a user and
an NAS and need not be limited to dial-up telephone connections. The invention,
therefore, is not intended to be limited except in the spirit of the appended claims.